Security Lapses at Vanguard, Schwab
Old 08-11-2015, 12:04 AM   #1
Thinks s/he gets paid by the post
Onward's Avatar
 
Join Date: Jul 2009
Posts: 1,667
Security Lapses at Vanguard, Schwab

Pesky security questions...

Security Lapses at Vanguard, Schwab Could Put 401K Money at Risk - Video - TheStreet
__________________
And if I claim to be a wise man, it surely means that I don't know.
Onward is offline   Reply With Quote
Old 08-11-2015, 06:40 AM   #2
Recycles dryer sheets
prototype's Avatar
 
Join Date: Mar 2011
Posts: 173
These days it seems that no "computer system" connected to the internet is 100% secure (e.g. OMB, HD, Target, IRS,...the list seems almost infinite these days).

I have no idea how I would react if I logged into my Vanguard Account and saw all my accounts were all $0.00.
__________________
prototype is offline   Reply With Quote
Old 08-11-2015, 07:19 AM   #3
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,888
Agree especially with the part of the companies needing to balance security vs ease of access.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote
Old 08-11-2015, 07:23 AM   #4
Recycles dryer sheets
jetpack's Avatar
 
Join Date: Aug 2013
Posts: 317
Sounds like they allow spelling errors in security questions.
With the 2-factor authentication, I don't see this as a problem.
I would like to see a little more focus on their site though.
__________________
jetpack is offline   Reply With Quote
Old 08-11-2015, 01:56 PM   #5
Recycles dryer sheets
 
Join Date: May 2015
Location: Atlanta suburbs
Posts: 350
In the interview (thanks for sharing that link) I heard where they say your password should not be used elsewhere, but they didn't say anything about having the same username at multiple sites. That is also probably not a good idea.

My (old) company used Vanguard for the 401-k and I had a specific username to access it. Then my company changed the 401-k to Fidelity and the access to the Fidelity 401-k had the same username. Today I went to the Vanguard web site to see if I could change my username and in my initial checking I could not see how to change my username. I will probably call Vanguard in a day or two to check about this, unless somebody here reports they have done this.
__________________
DEC-1982 is offline   Reply With Quote
Old 08-11-2015, 02:41 PM   #6
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,708
From Vanguard:
Quote:
What if I forgot my user name?

If you don't remember your user name, go to the Forgot user name screen. After you verify your identity, we'll send your user name to the registered e-mail address on file.

If you need to change your user name, you'll need to re-register. After you've re-registered, you'll have immediate access to your accounts; however, we'll place a seven-day hold on terminations, withdrawals, electronic bank transfers, and dividend elections processed online. We'll still process all other transactions, including loans via check, during this seven-day hold.
Whatever.

1. Rotate your password frequently.
2. Use two-factor authentication (security code sent to your phone).
__________________
target2019 is offline   Reply With Quote
Old 08-11-2015, 03:00 PM   #7
Recycles dryer sheets
 
Join Date: May 2015
Location: Atlanta suburbs
Posts: 350
Quote:
Originally Posted by target2019 View Post
From Vanguard:
If you need to change your user name, you'll need to re-register.

Thanks. This process of re-registering worked, and I now have a new username/password.
__________________
DEC-1982 is offline   Reply With Quote
Old 08-11-2015, 10:26 PM   #8
Recycles dryer sheets
 
Join Date: Feb 2014
Location: SF Bay Area
Posts: 252
Quote:
Originally Posted by prototype View Post
These days it seems that no "computer system" connected to the internet is 100% secure (e.g. OMB, HD, Target, IRS,...the list seems almost infinite these days).

I have no idea how I would react if I logged into my Vanguard Account and saw all my accounts were all $0.00.
Truth...although in my case, the crook would add insult to injury.... balance would be $0.01
__________________
"The only function of economic forecasting is to make astrology look respectable"
- J.K. Galbraith
FireBug is offline   Reply With Quote
Old 08-12-2015, 06:54 AM   #9
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,708
Thinking some more about the "security lapses" mentioned in the opening article...

What is in play is a fuzzy matching function, where the authentication service is allowing some "fuzziness" about your answers to challenge questions. It is not really a security lapse, but an example of a defense mechanism that has options to allow for the common errors we make.
__________________
target2019 is offline   Reply With Quote
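
The fuzzy matching described in the post above, sketched as an added example that is not part of the thread and not Vanguard's code. It assumes a tolerance of one edit (Levenshtein distance) after case and punctuation normalization; the function names and the sample answer "Smyth" are constructed for illustration.

```python
import string
import unicodedata

def normalize(answer: str) -> str:
    """Case-fold and drop everything except letters and digits."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def answer_matches(stored: str, supplied: str, max_edits: int = 0) -> bool:
    """max_edits=0 is an exact match after normalization; >0 is the fuzzy policy."""
    return edit_distance(normalize(stored), normalize(supplied)) <= max_edits

def accepted_count(stored: str, alphabet: str = string.ascii_lowercase) -> int:
    """How many distinct normalized strings a one-edit policy accepts."""
    s = normalize(stored)
    variants = {s}
    for i in range(len(s) + 1):
        variants.update(s[:i] + c + s[i:] for c in alphabet)          # insertions
        if i < len(s):
            variants.add(s[:i] + s[i + 1:])                           # deletion
            variants.update(s[:i] + c + s[i + 1:] for c in alphabet)  # substitutions
    return len(variants)

STORED = "Smyth"  # constructed sample: an answer with an unusual spelling

if __name__ == "__main__":
    for attempt in ("smyth", "Smith", "Smyt", "Smithe"):
        print(attempt, answer_matches(STORED, attempt),
              answer_matches(STORED, attempt, max_edits=1))
    print("strings accepted with one edit allowed:", accepted_count(STORED))
```

With one edit allowed, the common spelling "Smith" and the one-letter-short "Smyt" both pass against the stored "Smyth", which is the usability-versus-security trade-off the thread is discussing.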
Old 08-12-2015, 08:58 AM   #10
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Apr 2013
Posts: 5,580
I agree. My mother's maiden name is very common, I've never worried about it as it's an unusual spelling. I've never been asked how to spell her maiden name. That false sense of security is gone.
__________________
MRG is online now   Reply With Quote
Old 08-12-2015, 09:35 AM   #11
Thinks s/he gets paid by the post
 
Join Date: Mar 2010
Location: Kerrville,Tx
Posts: 2,718
Quote:
Originally Posted by MRG View Post
I agree. My mother's maiden name is very common, I've never worried about it as it's an unusual spelling. I've never been asked how to spell her maiden name. That false sense of security is gone.
The problem with using the mother's maiden name as an authentication mechanism comes if your mother has passed on and her maiden name is in the obituary. Obituaries also contain the names of children and typically the city where the children live. Thus with sites like Find a Grave that post obits for folks it is possible to get this information. It always was in some sense findable at libraries but you would have to have gone to the newspaper for the city where your mother died, thus the likely need to go to the library for the town in question.
__________________
meierlde is online now   Reply With Quote
Old 08-12-2015, 09:37 AM   #12
Thinks s/he gets paid by the post
mpeirce's Avatar
 
Join Date: Feb 2012
Location: Columbus area
Posts: 1,590
The only way I answer security questions is with answers that have nothing to do with the question.

Mother's maiden name? Blue
The name of your first pet? Box
What was your high school mascot? Roof

My only rule is to use words that are easy to spell.

Of course, I need to keep a list. The list is encrypted and kept in an obvious place...
__________________
mpeirce is offline   Reply With Quote
Old 08-12-2015, 10:25 AM   #13
Full time employment: Posting here.
 
Join Date: Nov 2010
Posts: 588
I want extremely high security. With all my eggs in one mutual fund basket, I don't want to leave that basket out for rats to get in to. Thirteen random letters/number/symbols in my password and call back verification to foil any keyloggers.
With my keyboard, that gives 100 + possibilities to the 13th power. According to security blogs, that should take a thousand years of running computers to brute force through. Any hijacking would have to come from inside a mutual fund company.

I like the idea of resetting my name to randomness and random security answers.

Call me a random dude El Dan dee born on the 40th of July.

Any other good ideas?
__________________
devans0 is offline   Reply With Quote
Old 08-12-2015, 11:23 AM   #14
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,708
I use a random login and random password.
Added two-factor authentication.

Watch your in-home devices, router, and passwords.

Encrypt your password file or use an app for that storage.

There's usually an insider involved. So your insider could be a keylogger, "trusted" neighbor, relative...
__________________
target2019 is offline   Reply With Quote
Old 08-13-2015, 07:43 AM   #15
Recycles dryer sheets
jetpack's Avatar
 
Join Date: Aug 2013
Posts: 317
Wondering how fuzzy the answers can be. I tried one missing letter and it worked. I'll have to test that more.

For those of you that want more security in Vanguard account:
turn on "Restrict account access from unrecognized devices"
use 2-factor authentication (security codes)
Use long unique username
Use long unique password
use long unique security question answers (not your actual info)
set up sms alerts and make sure they are on for transactions
make sure your phone has a pin lock on it


Some ideas for Vanguard to make it even more secure
Have account login history with IP
Show which devices are authorized and allow deauthorization
Improve verbal authentication on outbound calls
biometric identification in app.
bounty program for reporting security flaws
__________________
jetpack is offline   Reply With Quote
Old 08-13-2015, 08:49 AM   #16
gone traveling
 
Join Date: Sep 2013
Posts: 1,248
Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard

Fidelity just started protection of 401k accounts with Hardware keys.
__________________
eta2020 is offline   Reply With Quote
Old 08-13-2015, 11:25 AM   #17
Thinks s/he gets paid by the post
Gotadimple's Avatar
 
Join Date: Feb 2007
Posts: 1,761
Quote:
Originally Posted by eta2020 View Post
Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard

Fidelity just started protection of 401k accounts with Hardware keys.
Some of the links within the article are no longer available, but a search at the investment company's website for security token will take you to a page describing security actions.

Schwab customers can call Customer Service for a token.

Rita
__________________
Only got A dimple, would have preferred 2!
Gotadimple is offline   Reply With Quote
Old 08-13-2015, 11:51 AM   #18
Thinks s/he gets paid by the post
mpeirce's Avatar
 
Join Date: Feb 2012
Location: Columbus area
Posts: 1,590
I moved some money out of a Schwab account recently using a wire transfer (they're free at Schwab) and I was pleased to see that they called me to verify that I was actually making the transfer.

The only problem was DD's bank charged her to receive it :-(
__________________
mpeirce is offline   Reply With Quote
Old 08-13-2015, 12:39 PM   #19
Thinks s/he gets paid by the post
 
Join Date: May 2008
Posts: 3,422
So Vanguard needs to update their iOS apps to support login with Finger ID. All other banks have done it.

Not saying Finger ID would be more secure than 2-factor. Indeed, you should have to authenticate on device with Finger ID and then still input the code in.
__________________
explanade is offline   Reply With Quote
Old 08-15-2015, 08:40 AM   #20
Full time employment: Posting here.
GTFan's Avatar
 
Join Date: Apr 2013
Location: Atlanta
Posts: 636
Quote:
Originally Posted by eta2020 View Post
Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard

Fidelity just started protection of 401k accounts with Hardware keys.
The last thing I want is hardware tokens for every account that I have to keep up with. Two-factor auth using your phone is good enough, methinks.
__________________
GTFan is offline   Reply With Quote
All times are GMT -6.